[strongSwan] ocsp in ikev2

Sriram sriram.ec at gmail.com
Fri Jan 17 06:45:04 CET 2014


Hello everyone,

I am trying to establish IPsec sessions using IKEv2 between two nodes with
IP addresses 10.206.1.10 and 10.206.1.11. I'm using strongswan-5.1.1.
I could establish the sessions using certificates with no issues. Now I
want to make use of the OCSP feature supported in IKEv2, and for that purpose I
added the section below to ipsec.conf on both nodes.

ca strongswan-ca
        cacert=signing-ca-1.crt
        ocspuri=http://10.206.1.11:8880
        auto=add

Then, while generating the end entity certificates, I edited openssl.cnf to
include the line below:
authorityInfoAccess = OCSP;URI: http://10.206.1.11:8880
The same was reflected in the end entity certificates.

I also started an OCSP server on 10.206.1.11 with the openssl command:
openssl ocsp -index index.txt -CA /etc/ipsec.d/cacerts/signing-ca-1.crt \
    -rsigner /etc/ipsec.d/cacerts/signing-ca-1.crt \
    -rkey ./CondorSigningCA1/signing-ca-1.key -port 8880

When I tested this, I saw the peers exchanging AuthorityInfoAccess as part of
the certificate data extensions. But I didn't see any exchanges happening between
the OCSP server and the peer to confirm the validity of the certificates. I am
certainly missing some configuration. I intend to make the CA the
certificate validation authority.

Can anyone suggest what could've gone wrong? Your help in this regard is
appreciated.

Regards,
Sriram.
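The following script is an added example, not from the post above and not part of strongSwan. It checks the three PKI-side pieces of the poster's setup in isolation, offline and with a throwaway CA, so that a missing OCSP exchange can be narrowed down to the IKE daemon side rather than to the certificates or the responder: it issues an end-entity certificate carrying the same authorityInfoAccess line, runs `openssl ocsp` as a responder with the same flags the poster uses (with `-reqin`/`-respout` file exchange in place of `-port`, so no socket is opened), and verifies the signed response against the CA. The CA and peer names, the serial 0x1001, the dates in index.txt and the responder URI taken from the post (never contacted here) are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or from strongSwan): exercise the pieces of
# the poster's OCSP setup with a throwaway PKI, entirely through files.
#   1. issue an end-entity certificate carrying the authorityInfoAccess line
#   2. run "openssl ocsp" as responder against an index.txt (request/response via files)
#   3. verify the signed response and read out the certificate status
# All names, serials and dates below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OCSP_URI="http://10.206.1.11:8880"   # responder URI from the post; never contacted here
SERIAL=1001                          # hex, as it must appear in index.txt (= -set_serial 0x1001)

# Throwaway CA plus one end-entity certificate with the AIA extension.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-signing-ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=peer-10.206.1.10 \
        -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
    # the same extension line the poster added to openssl.cnf
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URI" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial "0x$SERIAL" -days 365 -extfile "$WORK/ext.cnf" \
        -out "$WORK/ee.crt" 2>/dev/null
}

# Print the OCSP URI carried in a certificate's AIA extension (empty if absent).
aia_ocsp_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *OCSP - URI:\(.*\)$/\1/p'
}

# Write the responder's index.txt with a single entry.
# $1 = V (valid) or R (revoked), $2 = serial in hex.
# Fields: status, expiry, revocation date, serial, file name, subject DN.
write_index() {
    if [ "$1" = "R" ]; then rev=240101120000Z; else rev=; fi
    printf '%s\t260101000000Z\t%s\t%s\tunknown\t/CN=peer-10.206.1.10\n' \
        "$1" "$rev" "$2" > "$WORK/index.txt"
}

# One request/response round trip through files instead of a TCP port:
# the client builds the request, the responder (the poster's flags minus -port)
# answers from index.txt, the client checks the signature against the CA.
# Prints good / revoked / unknown; returns non-zero if the response does not verify.
ocsp_status() {
    openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/ee.crt" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
        -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" -noverify \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
    out=$(openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/ee.crt" -no_nonce \
        -CAfile "$WORK/ca.crt" -respin "$WORK/resp.der" 2>&1) || return 1
    case $out in *"Response verify OK"*) ;; *) return 1 ;; esac
    printf '%s\n' "$out" | sed -n 's/^.*ee\.crt: //p'
}

make_pki
echo "AIA OCSP URI in ee.crt: $(aia_ocsp_uri "$WORK/ee.crt")"
write_index V "$SERIAL"; echo "index lists serial as valid   -> $(ocsp_status)"
write_index R "$SERIAL"; echo "index lists serial as revoked -> $(ocsp_status)"
write_index V 1002;      echo "serial missing from index     -> $(ocsp_status)"
```

The last case is the caveat worth keeping in mind with a responder driven by `-index`: it only knows the serials listed in index.txt, so a certificate issued outside that index is answered with `unknown`, not `good`. If the AIA URI prints correctly and all three statuses come back as expected, the certificates and the responder are fine and the investigation moves to why the IKE daemon is not issuing the request.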